The New NIST Cybersecurity Framework 2.0: An Update for All Organizations
Introduction
First introduced nearly a decade ago, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework has been a crucial tool in securing critical infrastructure sectors such as energy, banking, and hospitals. However, with the ever-evolving threat landscape, the framework has been expanded and updated to address the needs and challenges faced by organizations of all sizes. The recently released version 2.0 not only adds a new dimension to the framework but also acknowledges cybersecurity as a significant source of enterprise risk, ranking alongside legal, financial, and other risks for senior leadership consideration.
A Broader Approach to Cybersecurity
The NIST Cybersecurity Framework 2.0 builds upon the original framework’s five functions: identify, protect, detect, respond, and recover. However, it goes a step further by adding a sixth function, govern, which emphasizes the importance of effective cybersecurity management and governance. By including this additional dimension, the new framework recognizes that cybersecurity is no longer limited to critical infrastructure organizations. It acknowledges that every organization, regardless of its size or industry, faces cyber threats and must have a comprehensive plan in place for managing cyber hygiene and incident response.
Implications for Business
The expansion of the NIST framework to include organizations of all types is a crucial acknowledgment of the pervasive nature of cyber threats. Bud Broomhead, CEO at Viakoo, highlights that the update not only helps organizations with their basic cybersecurity functions but also extends to other areas of the enterprise. This broader perspective on cybersecurity will enable organizations to reduce their exposure to threats, enhance their compliance measures, and better align with audit and insurance requirements. In particular, cyber insurance has become a critical consideration for organizations, and the updated framework will help ensure that organizations are adequately prepared to meet the criteria for coverage.
Joseph Carson, chief security scientist and advisory CISO with Delinea, commends the framework’s expansion to address cybersecurity threats across all sectors. Carson highlights the importance of the new “Govern” pillar, which recognizes the changing landscape of cybersecurity strategy within organizations. This acknowledgment reflects the need for organizations to continuously adapt their response to evolving threats to ensure the overall security of their systems and networks.
Reflecting the Current and Future Usage of the Framework
Cherilyn Pascoe, NIST’s lead developer of the framework, emphasizes that the update aims to reflect both the current and anticipated future usage of the Cybersecurity Framework. While it was initially developed for critical infrastructure organizations, the framework has proven to be useful across a wide range of sectors, including schools, small businesses, and local and foreign governments. The new version seeks to build upon this success and support organizations of all sizes in their cybersecurity efforts.
Gathering Feedback for Continued Improvement
NIST has opened a comment period for the draft NIST Cybersecurity Framework 2.0, allowing stakeholders to provide feedback until November 4. This feedback will be crucial in further shaping the framework and ensuring its effectiveness in addressing the evolving challenges of cybersecurity. By taking into account the insights and recommendations of cybersecurity experts and organizations, NIST can continue to enhance the framework’s guidance and relevance in the face of emerging threats.
Conclusion
The release of the NIST Cybersecurity Framework 2.0 marks a significant step forward in the field of cybersecurity. By expanding the framework’s applicability to all organizations, regardless of size or industry, NIST recognizes the universal nature of cyber threats. The addition of the “Govern” function emphasizes the need for robust cybersecurity management and governance, acknowledging the dynamic nature of cybersecurity strategy. Organizations should seize the opportunity to provide feedback during the comment period, ensuring that the framework continues to evolve and remain effective in safeguarding against the ever-changing cybersecurity landscape. Ultimately, the NIST Cybersecurity Framework 2.0 serves as a valuable resource for organizations seeking to protect themselves and their stakeholders from the detrimental impacts of cyber threats.